Monthly Archives: March 2019

RBAC in Azure Kubernetes Service AKS on Twitch!

tldr; I will be streaming on Twitch next Monday (25th of March) at 8:30 Melbourne time (GMT+11), configuring Azure Kubernetes AKS to use RBAC.


For a long while, I’ve been thinking about streaming live development to Twitch or YouTube. Having spent some time behind the microphone while making the DotNetArabi podcast, I can say there is a satisfying feeling in producing content in a media format through which you can connect with the audience.

Why not just offline video?

I could just record an offline video and host it on YouTube, and it’s definitely a valuable medium. The problem with educational videos, specifically, is that they are a one-way communication channel, and without the entertainment factor of movies, these videos can be daunting, imprisoning, and hard to follow.

The magic of live streaming

But with live streaming, magic happens; it adds dimensions that make it more appealing:

  1. It’s LIVE! It’s happening NOW, and this means a couple of things: it implicitly has the anticipation factor; things are still happening and might take interesting turns, just like live sports. In addition, by sharing the time span during which the event is happening, the audience gets the feeling of involvement and “I was there when it happened”, even if they didn’t directly interact with the broadcaster.
  2. It’s real and revealing: When I was doing my homework preparing for this, I talked to my colleague Thomas Koster, and when I asked him about what could interest him in live streaming, his answer was:
    …it’s probably more the real time nature of it that appeals – to see somebody’s thought processes in action, as long as the broadcaster doesn’t waste too much time going around in circles.
    For example, watching somebody figure out a puzzle solution in the game The Witness in real time is much more interesting and valuable than watching a rehearsed, prepared performance of only the final solution.

    This is the ultimate stage for a developer broadcaster; it requires a lot of bravery and experience. I’d love to be able to do this soon, but it’s really the 3rd reason below that drew me to streaming.

  3. It’s two-way communication: the interactive communication between the broadcaster and the audience brings the video to life. It provides a timely opportunity to get the best out of this communication, whether by the audience correcting the broadcaster or by the broadcaster being available for immediate questions.

It is specifically this last reason that got me interested in live streaming; I want this relationship with my audience: a collaborative experience where value comes from everyone and flows in all directions.

So, I am doing my first stream!

I have been following Jeff Fritz @csharpfritz and Suz Hinton @noopkat and have been greatly inspired by their amazing work! Also, @geoffreyhuntley has started his journey and gave me the last nudge to jump into this space. I’ve learned a lot from Suz’s post “Lessons from my first year of live coding on Twitch”, and recently Jeff’s “Live Streaming Setup – 2019 Edition” (don’t let it scare you, you don’t have to do it all!).

My next stream will be about Role Based Access Control (RBAC) in Azure Kubernetes Service (AKS). I will walk you through RBAC, the OAuth2 Device Flow, and how these work within Azure AKS, with hands-on live deployments and configuration.

What is my goal, and what is not?

What I am trying to achieve here is two-way communication with my audience during the session, that’s it.

Am I going to do this constantly now?

Actually, I don’t know! To me this is an experiment; I might keep doing it, or this might be my first AND LAST stream, let’s see what the future brings. 🙂

Fix “Mixed Content” When Using Cloudflare SSL And IIS Rewrites

In this post, I explain how I fixed the “mixed content” security issue when using Cloudflare Flexible SSL together with IIS URL Rewrite.

I Run Two Websites Under One Account Using IIS Rewrites

I have two websites that are hosted under one account with my hosting provider (I know!): and The way I do it is by using IIS Rewrite rules in my web.config; for any request that targets one of these domains, I “rewrite” the URL so it points to the sub-directory that serves the request. This changes where the file is served from, but does not change the request URL the user sees.

However, if by any chance a request reaches the server targeting the sub-directory itself, that page will still be served as is, which is not desirable: I don’t want to expose the internals of my websites; it’s ugly and bad for my websites’ URL discovery. In this case, I first want to “redirect” the user to the domain without the sub-directory, and then run the rewrite rule mentioned above, which is what I did.

In pseudocode, when a request comes in, the rules execute like this:

  1. Rule1: Does the URL include a sub-directory? If so then Redirect to the same URL without the sub-directory.
  2. Rule2: The URL does not include the sub-directory, so Rewrite (not Redirect) to the sub-directory.

I want to Serve My Websites Over HTTPS, But…

Now, when I wanted to secure my websites and start serving requests over HTTPS, thanks to Troy Hunt’s continuous nagging :P, I couldn’t just use normal certs with my hosting because of the way I am running it. So again, based on Troy Hunt’s awareness efforts, I used Cloudflare’s free Flexible SSL service.

This went fine until I discovered that the engine behind dotnetarabi generated the guest images’ URLs including the sub-directory. When I open dotnetarabi over HTTPS, the first request to these URLs is HTTPS, but of course contains the sub-directory; the second request, though (the redirect to the URL without the sub-directory), always comes back as HTTP! This caused the well-known “insecure; mixed content” problem.

Simply, the reason is that:

  1. With Flexible SSL, Cloudflare ALWAYS talks to your server over HTTP; your origin has no certificate, which is why you need Flexible SSL in the first place!
  2. Cloudflare Flexible SSL doesn’t force HTTPS unless you have explicitly asked it to (via the Always Use HTTPS option). So if the request came in via HTTP, it will pass it through as HTTP.

So in the case of my redirects above, what happens is the following:

  1. The request comes to Cloudflare via HTTPS; the URL includes the sub-directory.
  2. The request is forwarded to my server via HTTP (NOT HTTPS!) to the sub-directory.
  3. My server innocently redirects the request to the URL without the sub-directory, but using the same protocol as the current request, which is HTTP because it always will be!
  4. The user receives the redirect to the new URL, but with the HTTP protocol this time, and Cloudflare just passes it through because it does not force HTTPS.

The solution

The trick is that, although Cloudflare indeed does not use HTTPS when it forwards the request to your server, it adds the header X-FORWARDED-PROTO=https to the forwarded request if the original request used HTTPS.

So, all I needed to do was check this header in my redirects: if it says https, redirect to HTTPS, otherwise redirect to HTTP.

The Action part of my rule, plus the rewrite map it looks up (in web.config the map sits under <rewriteMaps>, next to <rules>, inside the <rewrite> section; {C:1} is the host and path captured by the rule’s conditions):

<action type="Redirect" url="{MapSSL:{HTTP_X_FORWARDED_PROTO}}{C:1}" appendQueryString="true" logRewrittenUrl="false" />

<rewriteMap name="MapSSL" defaultValue="https://">
  <add key="https" value="https://" />
  <add key="http" value="http://" />
</rewriteMap>
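Both rules from the pseudocode above, wired to the X-Forwarded-Proto lookup, as an added example web.config fragment that is not the author’s own configuration; it assumes the host example.com and the sub-directory “site-a”, and uses {HTTP_HOST} directly instead of a condition capture.

```xml
<!-- Added example, not the post's web.config. Assumed names: host example.com,
     sub-directory "site-a". -->
<configuration>
  <system.webServer>
    <rewrite>
      <rewriteMaps>
        <!-- Maps the X-Forwarded-Proto value Cloudflare sends to the scheme the
             redirect must use; if the header is missing, default to https. -->
        <rewriteMap name="MapSSL" defaultValue="https://">
          <add key="https" value="https://" />
          <add key="http" value="http://" />
        </rewriteMap>
      </rewriteMaps>
      <rules>
        <!-- Rule1: a request that names the sub-directory directly is redirected
             to the public URL. The scheme comes from X-Forwarded-Proto, not from
             the origin connection (always HTTP under Flexible SSL), so an HTTPS
             visitor is not bounced back to HTTP and no mixed content results. -->
        <rule name="Redirect out of sub-directory" stopProcessing="true">
          <match url="^site-a/(.*)$" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^(www\.)?example\.com$" />
          </conditions>
          <action type="Redirect"
                  url="{MapSSL:{HTTP_X_FORWARDED_PROTO}}{HTTP_HOST}/{R:1}"
                  appendQueryString="true" redirectType="Permanent" />
        </rule>
        <!-- Rule2: every other request for this host is served from the
             sub-directory; a Rewrite leaves the URL the visitor sees unchanged. -->
        <rule name="Rewrite into sub-directory" stopProcessing="true">
          <match url="^(.*)$" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^(www\.)?example\.com$" />
          </conditions>
          <action type="Rewrite" url="site-a/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The redirect scheme is taken from a request header, so this is only reliable when the origin accepts traffic solely through Cloudflare; a request that bypasses Cloudflare carries whatever header value the sender chose.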